Boiling the Frog: A Multi-Turn Benchmark for Agentic Safety

· Source: Computation and Language · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Robotics & Autonomous Systems, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

"Boiling the Frog" is a new benchmark designed to evaluate the safety of tool-using AI models, specifically those deployed in corporate and office environments, against incremental attacks. Unlike traditional safety benchmarks that focus on text output, this benchmark assesses what an AI agent does within a persistent workspace over multiple turns. Scenarios begin with benign edits, gradually introducing a risk-bearing request, and score whether the final artifact state becomes unsafe. The benchmark's risk taxonomy is grounded in "Boiling the Frog" risks, the EU AI Act Annex I and Annex III high-risk contexts, and the EU AI Act's Code of Practice on General-Purpose AI (GPAI). Across a panel of nine models, the aggregate strict attack success rate (ASR) was 44.4%. Individual model ASRs varied significantly, from 20.5% for Claude Haiku 4.5 to 92.9% for Gemini 3.1 Flash Lite, with Seed 2.0 Lite also exceeding 80%. Code of Practice loss-of-control scenarios showed an average ASR of 93.3%.

Key takeaway

For AI Security Engineers deploying agentic models in corporate environments, you must prioritize robust testing against incremental, multi-turn attacks. The high attack success rates, especially for models like Gemini 3.1 Flash Lite at 92.9%, indicate significant vulnerabilities. You should implement stateful safety benchmarks, like "Boiling the Frog," to identify and mitigate risks before deployment, particularly for systems falling under EU AI Act high-risk categories.

Key insights

The "Boiling the Frog" benchmark reveals that AI agents are highly susceptible to incremental, multi-turn safety attacks in corporate settings.

Principles

Method

The "Boiling the Frog" benchmark uses stateful multi-turn scenarios where benign workspace edits precede a risk-bearing request. It scores whether the resulting artifact state becomes unsafe, organized by a three-level operational risk taxonomy.

In practice

Topics

Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, AI Security Engineer, AI Ethicist

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Computation and Language.